Medium severity6.1NVD Advisory· Published Aug 14, 2017· Updated Jun 17, 2026
CVE-2017-9802
CVE-2017-9802
Description
The Javascript method Sling.evalString() in Apache Sling Servlets Post before 2.3.22 uses the javascript 'eval' function to parse input strings, which allows for XSS attacks by passing specially crafted input strings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.sling:org.apache.sling.servlets.postMaven | < 2.3.22 | 2.3.22 |
Affected products
2Patches
Vulnerability mechanics
References
8- www.securityfocus.com/bid/100284nvdThird Party AdvisoryVDB EntryWEB
- github.com/advisories/GHSA-8c82-9rgp-4qvrghsaADVISORY
- issues.apache.org/jira/browse/SLING-7041nvdIssue TrackingVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2017-9802ghsaADVISORY
- packetstormsecurity.com/files/143758/Apache-Sling-Servlets-Post-2.3.20-Cross-Site-Scripting.htmlnvdWEB
- www.securityfocus.com/archive/1/541024/100/0/threadednvdWEB
- lists.apache.org/thread.html/2f4b8333e44c6e7e0b00933bd4204ce64829952f60dbb6814f2cdf91@%3Cdev.sling.apache.org%3EghsaWEB
- lists.apache.org/thread.html/2f4b8333e44c6e7e0b00933bd4204ce64829952f60dbb6814f2cdf91%40%3Cdev.sling.apache.org%3Envd
News mentions
0No linked articles in our index yet.